18 Dell EMC SC Series and Active Directory Integration | CML1135
4 Active Directory user and group access
For detailed information on granting access to directory users and groups, see the Dell Storage Manager
Administrator’s Guide for your version of DSM.
Consider the following when granting access to an Active Directory user:
In the case a directory user has been given access to the SC Series array directly and also belongs
to a directory group that has been granted access, the local user permissions will override the
mapped group permissions.
A directory group mapped to the SC Series array with Volume Manager or Reporter privileges must
be mapped to a local SC Series group. The local SC Series group determines which folders the users
in the mapped directory group have access to. A directory group mapped to the SC Series array with
Administrator privileges does not require mapping to a local group because administrators have
access to all folders in the SC Series array.
SC Series supports authentication of a user in up to 16 nested groups.
64 AD groups can be mapped to a single SC Series group.
4.1 SC Series permissions
If a directory user has Administrator permissions to the SC Series array, the permissions level cannot be
changed (downgraded) to Volume Manager or Reporter. However, user permissions can be changed from
Volume Manager to Reporter or vice versa.
Like directory users, directory groups that have Administrator permissions to the SC Series array cannot be
changed (downgraded) to Volume Manager or Reporter.
Permissions for a directly-mapped directory user can be changed, but not if the access is granted through
membership in a group.
When a directory user is a member of more than one directory group with access to the SC Series array, the
least restrictive permissions apply. For example, if a user is a member of Group 1 that grants Reporter access
to the SC Series array (more restrictive), and is also a member of Group 2 that grants Volume Manager
access in the SC Series array (less restrictive), the user is granted Volume Manager permissions when they
log in.
4.2 Active Directory account maintenance
4.2.1 Granting access to user and group objects in a child or trusted domain
To allow access to users and groups from child or trusted domains, it is important to understand the three
types of groups (universal, global, and domain local) within Active Directory.
A universal group can contain users and groups (global and universal) from any domain in the forest.
Universal groups do not consider trust. Universal groups can be a member of domain local groups but not
global groups. Because SC Series arrays requires a two-way trust in order to grant access to non-local users,
using universal groups for SC Series access is not recommended.